REMARKS 

The Office Action dated August 9, 2007 has been received and carefully noted. 
The above amendments to the claims, and the following remarks, are submitted as a full 
and complete response thereto. 

Claims 1-3, 7-10, 12-15, and 17-18 have been amended to more particularly point 
out and distinctly claim the subject matter of the invention. No new matter has been 
added. Therefore, claims 1-18 are currently pending in the application and are 
respectfully submitted for consideration. 

Applicants wish to thank the Examiner for the withdrawal of the rejections under 
35 U.S.C. § 112, second paragraph. 

The Office Action rejected claims 2, 8, 13, and 17-18 under 35 U.S.C. § 102(e) as 
being anticipated by U.S. Patent No. 6,370,380 ("Norefors"). The rejection is 
respectfully traversed for at least the following reasons. 

Claim 2 recites a method of validating information of a mobile node within a 
candidate access router discovery procedure in a mobile internet protocol environment. 
The method includes generating a token by a first access router to which the mobile node 
was previously attached. The method further includes sending the token from the first 
access router to the mobile node within a message comprising a list of candidate access 
routers. The method further includes sending the token from the mobile node to a second 
access router as selected candidate after a handover procedure between the first and 
second access routers. The method further includes sending the token within an 
exchange between the access routers specific to the discovery procedure from the second
access router back to the first access router for verification. 

Claim 8 recites a system for validating information of a mobile node within a 
candidate access router discovery procedure in a mobile internet protocol environment. 
The system includes a first access router, the mobile node, and a second access router. 
The first access router includes a generating unit configured to generate a token, and first 
sending unit configured to send the token to the mobile node within a message 
comprising a list of candidate access routers. The mobile node includes a second sending 
unit configured to send the token to the second access router as selected candidate after a 
handover procedure between the access routers. The second access router includes a 
third sending unit configured to send the token within an exchange between the access 
routers specific to the discovery procedure back to the first access router and a 
verification unit configured to verify the token. 

Claim 13 recites an access router for validating information of a mobile node in a 
mobile internet protocol. The access router includes a generating unit configured to 
generate a token. The access router further includes a first sending unit configured to 
send the token to the mobile node within a message comprising a list of candidate access 
routers. The access router further includes a second sending unit configured to send the 
token within an exchange with another access router specific to the discovery procedure 
to the other access router. The access router further includes a verification unit 
configured to verify the token. 

Claim 17 recites a system for validating information of a mobile node within a
candidate access router discovery procedure in a mobile internet protocol environment. 
The system includes a first access router, the mobile node and a second access router. 
The first access router includes generating means for generating a token, and first sending 
means for sending the token to the mobile node within a message comprising a list of 
candidate access routers. The mobile node includes second sending means for sending 
the token to the second access router as selected candidate after a handover procedure 
between the access routers. The second access router includes third sending means for 
sending the token within an exchange between the access routers specific to the discovery 
procedure back to the first access router and verification means for verifying the token. 

Claim 18 recites an apparatus for validating information of a mobile node in a 
mobile internet protocol. The apparatus includes generating means for generating a 
token. The apparatus further includes first sending means for sending the token to the 
mobile node within a message comprising a list of candidate access routers. The 
apparatus further includes second sending means for sending the token within an 
exchange with another access router specific to the discovery procedure to the other 
access router. The apparatus further includes verification means for verifying the token. 
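
The token round trip recited in claims 2, 8, 13, 17 and 18, as an added sketch that is not part of this filing or of the application: the first access router issues a token with the candidate list, the mobile node presents it to the second access router after handover, and the second access router returns it to the first for verification. The HMAC construction, the nonce, the single-use rule and all class, method and field names are assumptions; the claims only recite that the token is generated, forwarded and verified.

```python
import hashlib
import hmac
import secrets


class AccessRouter:
    """Hypothetical access router; the token format is an assumption."""

    def __init__(self, name, candidates=()):
        self.name = name
        self.candidates = list(candidates)   # neighbours offered to mobile nodes
        self._key = secrets.token_bytes(32)  # secret that never leaves this router
        self._pending = {}                   # nonce -> mobile node id (issued, unused)
        self.peers = {}                      # name -> AccessRouter (inter-router link)

    def _mac(self, mn_id, nonce):
        msg = mn_id.encode() + b"|" + nonce
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def card_reply(self, mn_id):
        """First router: generate a token and send it with the candidate list."""
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = mn_id
        token = nonce + self._mac(mn_id, nonce)
        return {"candidates": list(self.candidates), "token": token}

    def attach_after_handover(self, mn_id, prev_ar, token):
        """Second router: pass the token back to the previous router."""
        return self.peers[prev_ar].verify_token(self.name, mn_id, token)

    def verify_token(self, reporting_ar, mn_id, token):
        """First router: accept only its own unused token for this node."""
        nonce, mac = token[:16], token[16:]
        if reporting_ar not in self.candidates:
            return False
        if not hmac.compare_digest(mac, self._mac(mn_id, nonce)):
            return False
        # A token is consumed on first successful use, so a replay fails.
        return self._pending.pop(nonce, None) == mn_id


def demo():
    # Constructed scenario: node "mn-42" moves from AR1 to AR2.
    ar1 = AccessRouter("AR1", candidates=["AR2", "AR3"])
    ar2 = AccessRouter("AR2")
    ar2.peers["AR1"] = ar1
    token = ar1.card_reply("mn-42")["token"]
    forged = token[:16] + bytes(32)          # right nonce, made-up MAC
    return {
        "forged": ar2.attach_after_handover("mn-42", "AR1", forged),
        "wrong_node": ar2.attach_after_handover("mn-66", "AR1", token),
        "genuine": ar2.attach_after_handover("mn-42", "AR1", token),
        "replay": ar2.attach_after_handover("mn-42", "AR1", token),
    }


if __name__ == "__main__":
    print(demo())
```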

Thus, according to embodiments of the invention, denial-of-service attacks can be 
reduced while implementing a Candidate Access Router Discovery ("CARD") protocol. 
Specifically, according to embodiments of the invention, a smart cache replacement 
policy is employed to ensure that valid cache entries are given highest priority and that 
information gathered from locally connected mobile terminals is favored, which
inherently diminishes the effect of a distributed denial-of-service attack. 

As will be discussed below, Norefors fails to disclose or suggest all of the 
elements of the claims, and therefore fails to provide the advantages and features 
discussed above. 

Norefors generally describes, in a mobile, wireless telecommunication network, a 
method for achieving secure handover of a mobile terminal from a first access point to a 
second access point, wherein the first access point and the second access point are 
physically connected through a fixed network. Norefors generally describes that this is 
accomplished by transmitting a security token from the first access point to the mobile 
terminal, and then from the mobile terminal to the second access point, over the radio 
interface. 

Applicants respectfully submit that Norefors fails to disclose, teach, or suggest, all 
of the elements of the present claims. Norefors does not disclose, teach, or suggest, at 
least, "generating a token by a first access router to which the mobile node was 
previously attached;" "sending the token from the first access router to the mobile node 
within a message comprising a list of candidate access routers;" "sending the token from 
the mobile node to a second access router as selected candidate after a handover 
procedure between the first and second access routers;" and "sending the token within an 
exchange between the access routers specific to the discovery procedure from the second 
access router back to the first access router for verification," as recited in claim 2. 
Norefors also does not disclose, teach, or suggest, at least, "a first access router;" "said
mobile node and a second access router;" "wherein, the first access router includes a 
generating unit configured to generate a token, first sending unit configured to send the 
token to the mobile node within a message comprising a list of candidate access routers;" 
"wherein the mobile node includes second sending unit configured to send the token to 
the second access router as selected candidate after a handover procedure between the 
access routers;" and "wherein the second access router includes a third sending unit 
configured to send the token within an exchange between the access routers specific to 
the discovery procedure back to the first access router and a verification unit configured 
to verify the token," as recited in claim 8 and similarly recited in claim 17. Norefors also 
does not disclose, teach, or suggest, at least, "an access router for validating information 
of a mobile node in a mobile internet protocol;" "a first sending unit configured to send 
the token to the mobile node within a message comprising a list of candidate access 
routers;" and "a second sending unit configured to send the token within an exchange 
with another access router specific to the discovery procedure to the other access router," 
as recited in claim 13 and similarly recited in claim 18. 

Norefors discloses a wireless network which includes a number of fixed radio 
stations which Norefors identifies as "base stations" or "access points" (column 1, lines 
10-18). The Office Action takes the position that by disclosing such an access point, 
Norefors discloses an "access router" as recited in claims 2, 8, 13, and 17-18. Applicants 
respectfully submit that Norefors' access points do not disclose an "access router" as
recited in claims 2, 8, 13, and 17-18. 

At paragraph 0059, the specification of the present application states the 
following: "[t]he term 'access router' should be understood to include computer-implemented
devices that route packets, such as IP packets, to addresses in a network
based on routing information. However, it should be understood that access routers are
distinct from base stations/access points, which may rely on different transmission
schemes to transmit information (e.g. GSM or CDMA). One or more base stations could
be associated with a single access router, as shown in FIG. 1. Alternatively, more than
one access router could be associated with a single base station." Thus, the specification
of the present invention makes clear that a base station or an access point is distinct from 
an "access router" as recited in claims 2, 8, 13, and 17-18. 

In contrast, as described above, Norefors merely discloses a method for a secure 
handover between access points to a wireless network. As described above, Norefors 
discloses that Norefors' fixed network portion of a wireless network is connected to a 
number of fixed radio stations known as base stations or access points. Norefors further 
discloses a technique for securing communications for a mobile terminal during a 
handover procedure from a first access point to a second access point. Nowhere does 
Norefors disclose an access router, a plurality of access routers, or a handover procedure 
from a first access router to a second access router. Furthermore, as discussed above, an 
"access router" in the present invention can consist of a plurality of access points. Yet, 
Norefors does not disclose a handover procedure from a plurality of access points to a
second plurality of access points; Norefors merely discloses a handover from a single 
access point to another single access point. Accordingly, Applicants respectfully submit 
that Norefors fails to disclose any such feature involving an access router. Such 
considerations are simply not made by Norefors. 

Therefore, Applicants respectfully assert that Norefors fails to disclose, teach, 
or suggest, at least, an "access router" as recited in claims 2, 8, 13, and 17-18. 
Furthermore, because Norefors fails to disclose, teach, or suggest an "access router," 
Applicants respectfully assert that Norefors fails to disclose, teach, or suggest, at least 
"generating a token by a first access router to which the mobile node was previously 
attached," "sending the token from the first access router to the mobile node within a 
message comprising a list of candidate access routers," "sending the token from the 
mobile node to a second access router as selected candidate after a handover procedure 
between the first and second access routers," and "sending the token within an exchange 
between the access routers specific to the discovery procedure from the second access 
router back to the first access router for verification," as recited in claim 2; "a first access 
router," "said mobile node and a second access router," "wherein, the first access router 
includes a generating unit configured to generate a token, first sending unit configured to 
send the token to the mobile node within a message comprising a list of candidate access 
routers," "wherein the mobile node includes second sending unit configured to send the 
token to the second access router as selected candidate after a handover procedure 
between the access routers," and "wherein the second access router includes a third
sending unit configured to send the token within an exchange between the access routers 
specific to the discovery procedure back to the first access router and a verification unit 
configured to verify the token," as recited in claim 8 and similarly recited in claim 17; 
"an access router for validating information of a mobile node in a mobile internet 
protocol," "a first sending unit configured to send the token to the mobile node within a
message comprising a list of candidate access routers," and "a second sending unit 
configured to send the token within an exchange with another access router specific to the 
discovery procedure to the other access router," as recited in claim 13 and similarly 
recited in claim 18. 

For at least all the reasons discussed above, Norefors does not disclose, teach, or 
suggest, all of the elements of claims 2, 8, 13, and 17-18. 

The Office Action rejected claims 1, 3-5, 7, 9-10, 12, and 14-16 under 35 U.S.C. § 
103(a) as being unpatentable over U.S. Patent No. 6,137,791 ("Frid") in view of 
Norefors. The rejection is respectfully traversed for at least the following reasons. 

Claim 1, upon which claims 3-6 are dependent, recites a method of reducing 
denial-of-service attacks by malicious mobile nodes in a mobile internet protocol (IP) 
environment. The method includes maintaining, by each of a plurality of access routers 
within the mobile IP environment, a cache of neighboring access routers as candidates 
and their associated access points. The method further includes populating the caches 
with cache entries in response to actions initiated by mobile nodes. Each cache entry is 
tagged with an identity of an action initiating mobile node, which identity is based on
information that is verifiable by the access routers and which cannot be modified 
arbitrarily by the mobile node. A total number of entries that can be tagged and thus 
introduced into a cache by any given node is limited. 

Claim 7, upon which claims 9-11 are dependent, recites a system for reducing 
denial-of-service attacks by malicious mobile nodes in a mobile internet protocol (IP) 
environment. The system includes a plurality of access routers within the mobile IP 
environment, each router configured to maintain a cache of neighboring access routers as 
candidates and their associated access points. The system further includes a plurality of 
mobile nodes which are capable of populating the caches in response to actions initiated. 
The cache is configured such that each cache entry is tagged with an identity of the action 
initiating mobile node having thus created the entry, and that a total number of entries 
that can be tagged and thus introduced into the cache by any given node is limited. 

Claim 12, upon which claims 14-16 are dependent, recites an access router for 
reducing denial-of-service attacks by malicious mobile nodes in a mobile internet 
protocol. The access router includes a cache of neighboring access routers as candidates 
and their associated access points. The cache is arranged such that each cache entry is 
tagged with the identity of the mobile node having initiated the entry creation, and that 
the total number of entries that can be tagged and thus introduced into the cache by any 
given node is limited. 
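
The cache behaviour recited in claims 1, 7 and 12, together with the replacement policy described earlier in these remarks, as an added sketch that is not part of this filing or of the application: each entry is tagged with the verified identity of the mobile node that caused it, one identity can hold only a limited number of entries, and eviction spares valid and locally reported entries. The capacity, the quota of 2, the `valid` and `local` flags and all names are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    ap_id: str           # access point reported by the mobile node
    neighbor_ar: str     # neighbouring access router serving that access point
    owner: str           # verified identity of the node that caused the entry
    local: bool          # reported by a node attached to this router
    valid: bool = False  # assumption: set once the mapping has been confirmed


class NeighborCache:
    def __init__(self, capacity=4, per_node_quota=2):
        self.capacity = capacity
        self.per_node_quota = per_node_quota
        self.entries = {}    # ap_id -> Entry, kept in insertion order

    def _owned_by(self, owner):
        return sum(1 for e in self.entries.values() if e.owner == owner)

    def _victim(self):
        # Lowest priority first: unconfirmed before valid, remote before
        # local; min() keeps the first of equals, i.e. the oldest entry.
        return min(self.entries.values(), key=lambda e: (e.valid, e.local))

    def add(self, ap_id, neighbor_ar, owner, local):
        if ap_id in self.entries:
            return "duplicate"
        if self._owned_by(owner) >= self.per_node_quota:
            return "quota"       # one identity cannot fill the cache
        new = Entry(ap_id, neighbor_ar, owner, local)
        if len(self.entries) >= self.capacity:
            victim = self._victim()
            if (victim.valid, victim.local) > (new.valid, new.local):
                return "full"    # never displace a better entry
            del self.entries[victim.ap_id]
        self.entries[ap_id] = new
        return "added"

    def confirm(self, ap_id):
        self.entries[ap_id].valid = True


def demo():
    # Constructed scenario: "mn-evil" floods bogus mappings from elsewhere,
    # then locally attached nodes report real neighbours.
    cache = NeighborCache(capacity=4, per_node_quota=2)
    log = [cache.add(f"ap-bogus-{i}", "AR-fake", "mn-evil", local=False)
           for i in range(5)]
    log.append(cache.add("ap-7", "AR2", "mn-a", local=True))
    cache.confirm("ap-7")
    for ap, ar, mn in [("ap-8", "AR2", "mn-b"), ("ap-9", "AR3", "mn-c"),
                       ("ap-10", "AR3", "mn-d")]:
        log.append(cache.add(ap, ar, mn, local=True))
    log.append(cache.add("ap-bogus-9", "AR-fake", "mn-evil", local=False))
    return log, sorted(cache.entries)


if __name__ == "__main__":
    print(demo())
```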

The discussion of Norefors is incorporated herein. Frid generally describes a
roaming mechanism enabling a mobile station to roam between a first data packet
network utilizing a Mobile IP Method (MIM) and a second data packet network utilizing
a Personal Digital Cellular Mobility Method (PMM). In Frid, a foreign agent
is introduced into the PMM network for enabling a mobile station associated with the 
MIM network and currently roaming within the PMM network to communicate packet 
data with an associated home agent. A home agent is further introduced into the PMM 
network for enabling a mobile station associated with the PMM network and currently 
roaming within the MIM network to communicate packet data with an associated foreign 
agent or Mobile IP Client Emulator (MICE) currently serving the roaming mobile station. 

The Office Action took the position that Frid discloses all the elements of claims 
1, 7, and 12, except "maintaining, by each of a plurality of access routers within the 
mobile IP environment, a cache of neighboring access routers as candidates and their 
associated access points," as recited in claim 1; "a plurality of access routers within the
mobile IP environment, each router maintaining a cache of neighboring access routers as 
candidates and their associated access points," as recited in claim 7; and "a cache of 
neighboring access routers as candidates and their associated access points," as recited in 
claim 12. The Office Action further took the position that Norefors cures the deficiencies 
of Frid and that "it would have been obvious to a person skilled in the art at the time the 
invention was made to incorporate the teaching of Norefors . . . into the teaching of Frid 
... in order to protect the system against intruders." 

Applicants respectfully submit that Frid and Norefors, whether considered alone
or in combination, fail to disclose, teach or suggest, all of the elements of the present 
claims. The combination of Frid and Norefors fails to disclose, teach or suggest, at least, 
"maintaining, by each of a plurality of access routers within the mobile IP environment, a 
cache of neighboring access routers as candidates and their associated access points," as 
recited in claim 1; "a plurality of access routers within the mobile IP environment, each
router maintaining a cache of neighboring access routers as candidates and their 
associated access points," as recited in claim 7; and "a cache of neighboring access 
routers as candidates and their associated access points," as recited in claim 12. 

In the context of embodiments of the present invention, two access routers are 
considered neighbors if the access routers have associated base stations with overlapping 
coverage areas (Specification, paragraph 0009). As the Office Action correctly realizes, 
Frid fails to disclose, teach, or suggest at least "maintaining, by each of a plurality of 
access routers within the mobile IP environment, a cache of neighboring access routers as 
candidates and their associated access points," as recited in claim 1; "a plurality of access 
routers within the mobile IP environment, each router maintaining a cache of neighboring 
access routers as candidates and their associated access points," as recited in claim 7; and 
"a cache of neighboring access routers as candidates and their associated access points," 
as recited in claim 12 because Frid fails to disclose, teach, or suggest "a plurality of 
access routers" and "neighboring access routers." Instead, Frid discloses a plurality of 
base stations which provide radio coverage over a plurality of geographic areas, where a 
particular base station connects to an associated visited mobile switching center for
routing and processing communicated data (column 4, lines 14-18). Frid further 
discloses that whenever a particular mobile station travels into a particular geographic 
area, a base station serving that geographic area transmits identification data informing 
the mobile station of the current location, and that based on said identification data, the 
mobile station registers with a new visited mobile switching center (column 4, lines 28- 
36). However, Frid fails to disclose associated visited mobile switching centers that have 
associated base stations with overlapping coverage areas. Thus, Frid fails to disclose, 
teach, or suggest, "neighboring access routers" and thus, fails to disclose, teach or 
suggest, at least, "maintaining, by each of a plurality of access routers within the mobile 
IP environment, a cache of neighboring access routers as candidates and their associated 
access points," as recited in claim 1; "a plurality of access routers within the mobile IP
environment, each router maintaining a cache of neighboring access routers as candidates 
and their associated access points," as recited in claim 7; and "a cache of neighboring 
access routers as candidates and their associated access points," as recited in claim 12. 

Furthermore, Norefors fails to cure the deficiencies of Frid. As described above,
Norefors fails to disclose, teach, or suggest, an "access router" as recited in the present 
claims, because Norefors discloses base stations, or access points, which are distinct from 
"access routers." Thus, for similar reasons why Norefors fails to disclose, teach, or 
suggest "access router" in the present claims, Norefors fails to disclose, teach, or suggest 
"neighboring access routers" as recited in claims 1, 7, and 12. Therefore, because the 
combination of Frid and Norefors fails to disclose, teach, or suggest "neighboring access
routers," the combination of Frid and Norefors fails to disclose, teach or suggest, at least, 
"maintaining, by each of a plurality of access routers within the mobile IP environment, a 
cache of neighboring access routers as candidates and their associated access points," as 
recited in claim 1; "a plurality of access routers within the mobile IP environment, each
router maintaining a cache of neighboring access routers as candidates and their 
associated access points," as recited in claim 7; and "a cache of neighboring access 
routers as candidates and their associated access points," as recited in claim 12. 

For at least all the reasons discussed above, the combination of Frid and Norefors 
does not disclose, teach, or suggest, all of the elements of claims 1, 7, and 12. 

Claims 3-5, 9-10, and 14-16 are dependent upon claims 1, 7, and 12, respectively. 
Accordingly, claims 3-5, 9-10, and 14-16 should be allowed for at least their dependence 
upon claims 1, 7, and 12, and for the specific limitations recited therein. 

In a previous Office Action, dated February 9, 2007 ("Previous Office Action"), 
claims 6 and 11 were objected to as being dependent upon a rejected base claim. The
Previous Office Action also indicated that claims 6 and 11 would be allowable if 
rewritten in independent form including all of the limitations of the base claim and any 
intervening claims. The current Office Action does not discuss claims 6 and 11. Thus, 
Applicants presume that the current Office Action also objects to claims 6 and 11 as
being dependent upon a rejected base claim, but indicates that claims 6 and 11 would be
allowable if rewritten in independent form including all of the limitations of the base 
claim and any intervening claims. If Applicants' presumption is incorrect, then
Applicants respectfully request that the Examiner issue a new non-final Office Action
detailing the status of claims 6 and 11. Applicants further assert that claims 6 and 11
have not been amended to rewrite the claims in independent form including all of the
limitations of the base claims and any intervening claims, because Applicants have
addressed the formal rejections to the independent claims, which claims 6 and 11 depend
from, above. Accordingly, it is respectfully requested that claims 6 and 11 be allowed.

For at least the reasons discussed above, Applicants respectfully submit that the 
cited prior art references fail to disclose or suggest all of the elements of the claimed
invention. These distinctions are more than sufficient to render the claimed invention 
unanticipated and unobvious. It is therefore respectfully requested that all of claims 1-18 
be allowed, and this application passed to issue. 

If for any reason the Examiner determines that the application is not now in 
condition for allowance, it is respectfully requested that the Examiner contact, by 
telephone, the applicants' undersigned attorney at the indicated telephone number to
arrange for an interview to expedite the disposition of this application. 






Application No. 10/785,407 



In the event this paper is not being timely filed, the applicants respectfully petition 
for an appropriate extension of time. Any fees for such an extension together with any 
additional fees may be charged to Counsel's Deposit Account 50-2222. 